Linux worm spreading via Exim servers hit Azure customers

On Friday, security experts at Microsoft warned of a new Linux worm, spreading via Exim email servers, that already compromised some Azure installs.

Bad actors continue to target cloud services in the attempt of abusing them for several malicious purposes, like storing malware or implementing command and control servers.

Microsoft Azure is not immune, recently experts reported several attacks leveraging the platform to host tech-support scam and phishing templates.

Researchers already warned of the presence of some malware on the Microsoft Azure platform.

At the end of last week, Microsoft warned of a new Linux worm, spreading via Exim servers, that already compromised some Azure installs.

Recently security experts reported ongoing attacks targeting millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions. Different groups of hackers are exploiting the CVE-2019-10149 flaw to take over them.

The critical vulnerability affects versions 4.87 to 4.91 of the Exim mail transfer agent (MTA) software. The flaw could be exploited by unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.

The CVE-2019-10149 issue resides in the deliver_message() function in /src/deliver.c and it is caused by the improper validation of recipient addresses. The flaw could lead to remote code execution with root privileges on the mail server, unfortunately, the vulnerability is easily exploitable by a local and a remote attacker in certain non-default configurations

The CVE-2019-10149 flaw was addressed the Exim’s development team with the release of version 4.92 in February, but a large number of operating systems are still affected by the flaw.

“CVE-2019-10149, which was first discovered on June 5, is now being used as the vulnerability for a widespread campaign to attack exim servers and propagate across the Internet.” reads a blog post published by Cybereason.

“We are aware of an initial wave of attacks as described by Freddie Leeman on June 9, 2019. The first hacker group began pushing exploits from a C2 server located on the clear web. A second round of attacks by a different attacker are being analyzed by the Nocturnus team.”

Attackers are scanning the internet for vulnerable mail servers then when they will be compromised the initially deployed script will download a second script designed to check if OpenSSH is installed on the compromised machine.

In case OpenSSH is not present, it will install it and start it to gain root logins via SSH using a private/public RSA key for authentication.

Microsoft has now detected a Linux worm that leverages the above flaw in vulnerable Linux Exim email servers in a cryptojacking campaign.

“This week, MSRC confirmed the presence of an active Linux worm leveraging a critical Remote Code Execution (RCE) vulnerability, CVE-2019-10149, in Linux Exim email servers running Exim version 4.87 to 4.91. Azure customers running VMs with Exim 4.92 are not affected by this vulnerability.” reads the advisory published by Microsoft.

Microsoft pointed out that Azure has already implemented controls to limit the spread of this Linux worm, but warns customers of using up to date software to prevent the infection. 

“Customers using Azure virtual machines (VMs) are responsible for updating the operating systems running on their VMs.” continues the advisory. “As this vulnerability is being actively exploited by worm activity, MSRC urges customers to observe Azure security best practices and patterns and to patch or restrict network access to VMs running the affected versions of Exim.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Exim, Linux worm)

[adrotate banner=”5″]

[adrotate banner=”13″]